U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S ENTERPRISE HUMAN RESOURCES INTEGRATION DATA WAREHOUSE
FY 2009

Report No. 4A-HR-00-09-033
Date: June 1, 2009

--CAUTION--
This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905); therefore, while this audit report is available under the Freedom of Information Act, caution needs to be exercised before releasing the report to the general public.


UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

U.S. OFFICE OF PERSONNEL MANAGEMENT
AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S ENTERPRISE HUMAN RESOURCES INTEGRATION DATA WAREHOUSE
FY 2009
WASHINGTON, D.C.

Report No. 4A-HR-00-09-033
Date: June 1, 2009

Michael R. Esser
Assistant Inspector General for Audits


Executive Summary

This final audit report discusses the results of our review of the information technology security controls of the Enterprise Human Resources Integration Data Warehouse (EHRIDW) System. Our conclusions are detailed in the "Results" section of this report.

The results of our audit are summarized below:

• A self-assessment was not required for EHRIDW in fiscal year (FY) 2008. The Office of the Inspector General (OIG) will verify that a current self-assessment of National Institute of Standards and Technology (NIST) Special Publication 800-53 controls is conducted for this system as part of the FY 2009 general Federal Information Security Management Act audit process.
• A risk assessment was performed for EHRIDW that encompasses the nine primary steps outlined in NIST guidance.
• The EHRIDW information system security plan was prepared in accordance with the format and methodology outlined in NIST guidance.
• An independent system security test and evaluation was conducted for EHRIDW.
• EHRIDW was certified and accredited in FY 2009 in accordance with NIST guidance.
• The EHRIDW contingency plan is routinely maintained and tested in accordance with NIST guidance.
• An impact analysis based on the Federal Information Processing Standards Publication 199 was completed for EHRIDW in accordance with NIST guidance. The OIG agreed with the "high" classification of the system.
• One of the 13 security controls tested by the OIG was not implemented for EHRIDW.
• The 2009 second quarter Plan of Action and Milestones for EHRIDW appeared to be properly maintained in accordance with Office of Personnel Management policy and guidance from the U.S. Office of Management and Budget.


Contents

Executive Summary ........................................................ i
Introduction ............................................................. 1
Background ............................................................... 1
Objectives ............................................................... 1
Scope and Methodology .................................................... 2
Compliance with Laws and Regulations ..................................... 3
Results .................................................................. 4
   I.   Self-Assessment .................................................. 4
   II.  Risk Assessment .................................................. 4
   III. Information System Security Plan ................................. 4
   IV.  Independent Security Test and Evaluation ......................... 5
   V.   Certification and Accreditation .................................. 6
   VI.  Contingency Planning ............................................. 6
   VII. Federal Information Processing Standards Publication 199 Analysis  6
   VIII. NIST SP 800-53 Evaluation ....................................... 7
   IX.  Plan of Action and Milestones Process ............................ 8
Major Contributors to This Report ....................................... 10

Appendix: Human Resources Line of Business' April 10, 2009 response to the OIG's draft audit report, issued March 26, 2009.


Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347) which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) of the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we evaluated the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Enterprise Human Resources Integration Data Warehouse (EHRIDW).

Background

EHRIDW is one of OPM's 41 critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems, on a rotating basis.

The Human Resources Line of Business (HRLOB) has been designated with ownership of EHRIDW. EHRIDW is a repository for electronic personnel data of Federal employees and supports several minor applications that are used for analytical purposes by human resources specialists throughout the government.

Although the EHRIDW application is owned and administered by OPM's HRLOB, the infrastructure supporting EHRIDW's production environment is owned and maintained by the Department of the Interior's (DOI) National Business Center (NBC). The production environment is housed at the NBC facility in Ashburn, Virginia, and the development environment is housed at the NBC facility in Denver, Colorado. The technical infrastructure in place at both NBC facilities has been certified and accredited by DOI.

This was our first audit of the security controls surrounding EHRIDW. We discussed the results of our audit with HRLOB representatives at an exit conference.

Objectives

Our overall objective was to perform an evaluation of security controls for EHRIDW to ensure that HRLOB officials have implemented IT security policies and procedures in accordance with standards established by OPM's Center for Information Services (CIS).

These policies and procedures are designed to assist program office officials in developing and documenting IT security practices that are in substantial compliance with FISMA, as well as OMB regulations and the National Institute of Standards and Technology (NIST) guidance.

OPM's IT security policies and procedures require managers of all major and sensitive systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The overall audit objective was accomplished by reviewing the degree to which a variety of these security program steps have been implemented for EHRIDW, including:

• Annual Self Assessments;
• Risk and Vulnerability Assessments;
• Information System Security Plans;
• Independent Security Test and Evaluation;
• Certification and Accreditation;
• Contingency Planning;
• Federal Information Processing Standards Publication 199 (FIPS 199) Analysis;
• Evaluation of NIST Special Publication (SP) 800-53 Security Controls; and
• Plan of Action and Milestones Process.

Scope and Methodology

Our performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of HRLOB officials responsible for EHRIDW, including IT security controls in place as of February 2009.

We considered the EHRIDW internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's HRLOB office and other program officials with EHRIDW security responsibilities. We reviewed relevant OPM IT policies and procedures, Federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of EHRIDW are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the EHRIDW system of internal controls taken as a whole.

The criteria used in conducting this audit include:

• OPM IT Security Policy;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from January through March 2009, in OPM's Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether HRLOB's management of EHRIDW is consistent with applicable standards. Nothing came to the OIG's attention during this review to indicate that HRLOB is in violation of relevant laws and regulations.


Results

This section details the results of our audit of EHRIDW.

I. Self-Assessment

FISMA requires that IT security controls of each major application owned by a Federal agency be tested on an annual basis. In September 2008, an independent contractor tested the degree to which the management, operational, and technical controls outlined in NIST SP 800-53 have been implemented for EHRIDW (see section IV, below). Therefore, an internal self-assessment of these controls was not required in fiscal year (FY) 2008.

The OIG will verify that a self-assessment of NIST SP 800-53 controls is conducted for this system during FY 2009 as part of the general FISMA audit process.

II. Risk Assessment

An effective risk management process is an important component of a successful IT security program. NIST defines risk management as "the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level." NIST SP 800-30, Risk Management Guide for Information Technology Systems, offers a systematic approach for conducting risk assessments that includes the following nine steps:

• System Characterization;
• Threat Identification;
• Vulnerability Identification;
• Control Analysis;
• Likelihood Determination;
• Impact Analysis;
• Risk Determination;
• Control Recommendations; and
• Results Documentation.

A risk assessment was performed for EHRIDW by a contracted vendor in November 2008 that encompassed each of the elements outlined above.

In addition, a privacy impact assessment (PIA) was completed and signed for EHRIDW in November 2008. A PIA is used to ensure no collection, storage, access, use, or dissemination of personally identifiable information occurs that is not needed or permitted.

III. Information System Security Plan

The completion of an information system security plan (ISSP) is a requirement of OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources. The EHRIDW ISSP was developed in accordance with NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems.

The ISSP for EHRIDW was prepared in accordance with the format and methodology outlined in NIST SP 800-18, and contained all major elements suggested by the guidance. The EHRIDW ISSP was completed by a contracted vendor, and was finalized in November 2008.

IV. Independent Security Test and Evaluation

A security test and evaluation (ST&E) was completed for the EHRIDW during September 2008 as part of the system's FY 2009 certification and accreditation (C&A) process. The ST&E was conducted by Carson Associates, a company independent of OPM and the DOI NBC that hosts EHRIDW. The OIG verified that the test included a review of the appropriate management, operational, and technical controls required for a system with a "high" security categorization according to NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems.

Several NIST SP 800-53 controls were identified by Carson Associates as not applicable to the EHRIDW certification and accreditation. Carson Associates stated that these controls related to the hardware infrastructure maintained by the NBC, and therefore referred to the NBC C&A package for an assessment of these controls. The OIG evaluated the appropriateness of deferring these controls to the NBC, and did not disagree with Carson Associates' assessment.

In addition, several NIST SP 800-53 controls are related to agency-level policy and procedure requirements. When reviewing these controls, Carson Associates referred to the C&A package for the Electronic Official Personnel Folder (eOPF) application, which in turn referred to the relevant OPM IT security policy or procedure posted on OPM's internal web site. However, several of the policies referenced in the eOPF ST&E are extremely outdated, and the OIG believes that this represents a security weakness to any IT system that is subject to the guidance outlined in these documents. The maintenance of these policies and procedures is the responsibility of OPM's CIS. The OIG recommended in its FY 2008 FISMA audit report that these documents be updated, and therefore will not include this weakness as an audit finding in this report. However, HRLOB should evaluate the impact that any outdated information contained in these policies has on the security controls of EHRIDW.

The remaining NIST SP 800-53 controls were within the scope of the ST&E, and Carson Associates determined whether each control was satisfied or not satisfied. Carson Associates presented a copy of the evaluation results to HRLOB, and helped the program office incorporate the identified weaknesses into the EHRIDW risk assessment.

V. Certification and Accreditation

NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, states that certification is a comprehensive assessment that attests that a system's security controls are meeting the security requirements of that system, and accreditation is the official management decision to authorize operation of an information system and accept its risks. EHRIDW was certified and accredited on November 20, 2008, in accordance with NIST SP 800-37 requirements.

OPM's Certifying Official and IT security officer evaluated the security-related documentation that HRLOB provided in the certification package. The Certifying Official stated that the requirements for certification have been satisfied and suggested that the program office determine whether it is appropriate to formally accept certain risks identified during the C&A process.

The certification package was also reviewed by the Director of HRLOB, who was acting as the system's Authorizing Official. The Authorizing Official reviewed the security controls that have been implemented for the system, weighed the remaining residual risks against the operational requirements, and granted a three year Authorization to Operate to the EHRIDW major application.

VI. Contingency Planning

NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. The OPM IT security policy requires that OPM general support systems and major applications have viable and logical disaster recovery and contingency plans, and that these plans are annually reviewed, tested, and updated.

The EHRIDW is hosted at the DOI NBC. In the event of a disaster, the NBC will perform all tasks associated with restoring communications, network infrastructure, servers, and applications. The OPM/HRLOB Operations Team has been assigned the responsibility to provide oversight, guidance, application-specific configurations, and application functionality testing during the disaster recovery process.

The contingency plan developed for EHRIDW has been tested and reviewed in accordance with NIST SP 800-34 by both the NBC and HRLOB. The plan addresses all of the key elements outlined in the NIST guidance.

VII. Federal Information Processing Standards Publication 199 Analysis

FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, requires the development of standards for categorizing information and information systems to ensure that the appropriate levels of information security controls are implemented. NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories, provides additional guidance for understanding the security objectives and impact levels identified in FIPS 199 by defining information types and determining each category's impact.

A security categorization and analysis was performed for EHRIDW that was based on both FIPS 199 and NIST SP 800-60 Volume II. The FIPS 199 analysis considered the potential level of impact (low, moderate, high) that would result from a loss of confidentiality, integrity, or availability of each of the information types. The OIG determined that this evaluation was adequate and agrees with the overall security categorization of high for EHRIDW.

VIII. NIST SP 800-53 Evaluation

NIST SP 800-53 provides guidance for implementing a variety of security controls for information systems supporting the Federal government. These controls are organized into three classes (management, operational, and technical). The OIG tested a subset of these controls for EHRIDW as part of this audit, including:

• AC-2: Account Management
• AC-7: Unsuccessful Login Attempts
• AC-11: Session Lock
• AC-13: Supervision and Review
• AU-2: Auditable Events
• AU-6: Audit Monitoring
• CM-3: Configuration Change Control
• CM-4: Monitoring Configuration Changes
• IA-5: Authenticator Management
• IR-2: Incident Response Training
• IR-5: Incident Monitoring
• IR-6: Incident Reporting
• RA-5: Vulnerability Scanning

These controls were evaluated by interviewing individuals with EHRIDW security responsibilities, reviewing documentation and system screenshots provided by HRLOB, and tests conducted on the system directly by the OIG.

Although the majority of NIST SP 800-53 controls appeared to be implemented for EHRIDW, several tested controls related to system auditing [redacted] and incident response [redacted] had not been implemented for this system. These control weaknesses were previously identified by HRLOB, and were appropriately included in the EHRIDW plan of action and milestones (POA&M). However, these POA&M items are over 120 days old and should be considered a high priority for HRLOB.

The OIG determined that one control, [redacted], has not been implemented and is not included on the EHRIDW POA&M. In prior years, HRLOB periodically evaluated the appropriateness of active EHRIDW user accounts [redacted]. However, this process no longer appears to be in place, as it has been over one year since the last review of active user accounts. Failure to routinely audit user accounts for appropriateness increases the risk that unauthorized individuals can access sensitive data on the system.

Recommendation 1

We recommend that HRLOB routinely audit active EHRIDW user accounts for appropriateness.

HRLOB Response:

"The Program Office concurs with this recommendation. ... In response to the OIG's recommendation, the Program Office will ensure that it conducts reviews of active user accounts every six months as suggested in the Risk Assessment and documented in the POA&M so that the risk of unauthorized access to sensitive system data is reduced. The Program Office expects to have this in place by August 1, 2009."

IX. Plan of Action and Milestones Process

A POA&M is a tool used to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective efforts for IT security weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT security weaknesses associated with the agency's information systems.

HRLOB submitted a current POA&M to OPM's CIS in November 2008. The OIG evaluated the following aspects of this POA&M:

Prioritization of Weaknesses

HRLOB uses the POA&M template provided by OPM's CIS to track security control weaknesses of EHRIDW. This template facilitates the prioritization of POA&M weaknesses, and HRLOB appears to be prioritizing its weaknesses per OPM policy and FISMA requirements.

Proof of Closure

The EHRIDW POA&M indicates that several security weaknesses were recently corrected and the POA&M item was closed. The OIG evaluated the "proof of closure" documentation that was submitted to OPM's CIS/CIO at the time the POA&M item was closed.

We requested proof of closure evidence for a sample of six POA&M items closed between December 31, 2007 and January 14, 2009. Of the six items requested, the OIG was only provided adequate proof of closure documentation for four of the POA&M items. Prior to June 2008, OPM's CIS/CIO did not have a well defined process for documenting POA&M proof of closure; this weakness was documented in the OIG's FY 2008 FISMA report. The four items that were missing were closed before June 2008, and the two that were provided were closed after June 2008. The OIG believes that this indicates that controls related to documenting proof of closure are currently in place for EHRIDW. As part of the FY 2009 general FISMA audit, the OIG will verify that HRLOB continues to submit proof of closure documentation to CIS/CIO.

Including All Identified Weaknesses in POA&M

As mentioned in section IV, above, Carson Associates conducted an independent ST&E of the NIST SP 800-53 controls in place for EHRIDW. Carson identified at least 40 controls that were not fully implemented on the EHRIDW. A copy of the test results was presented to the HRLOB program office, and the results were incorporated into the EHRIDW risk assessment.

However, none of the weaknesses identified by Carson were included on the FY 2009 first quarter EHRIDW POA&M (dated November 1, 2008). This was brought to the attention of HRLOB during the fieldwork phase of this audit. In February 2009, HRLOB submitted an updated copy of the EHRIDW POA&M to the OIG, and we verified that the security weaknesses identified during the ST&E were now included in the POA&M.

The OIG is not aware of any other recent security assessments of EHRIDW that could lead to the identification of potential POA&M items.

Nothing came to our attention during this evaluation to indicate that there are any current weaknesses in HRLOB's management of POA&Ms.


Major Contributors to This Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

• [redacted], Group Chief
• [redacted], Auditor-in-Charge
• [redacted], Information Technology Auditor


Appendix

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415

MEMORANDUM FOR: [redacted]
                Systems Audits Group

FROM:           [redacted]
                Program Director, Enterprise Human Resources Integration
                Human Resources Line of Business

Subject:        Program Office Response to OIG Report Number 4A-HR-00-09-033, "Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Enterprise Human Resources Integration Data Warehouse"

Thank you for the opportunity to comment on the Office of the Inspector General (OIG) Draft Report, "Audit of the Information Technology Security Controls of the U.S. Office of Personnel Management's Enterprise Human Resources Integration Data Warehouse."

The Human Resources Line of Business (HRLOB) Enterprise Human Resources Integration (EHRI) Program Office has reviewed the report and agrees with the findings, conclusions, and recommendations presented. The Program Office is committed to resolving all outstanding IT security-related issues in a timely manner. Specifically, the Program Office will take the following actions to address the following OIG recommendation:

Recommendation 1: The OIG recommends that HRLOB routinely audit active EHRI Data Warehouse (DW) user accounts for appropriateness.

The Program Office concurs with this recommendation. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 security control AC-2 that corresponds to this recommendation was identified as "partially satisfied" during security controls testing on August 28, 2008. Consequently, the EHRI DW Risk Assessment, dated November 19, 2008, identified a medium-risk vulnerability related to this control, and the vulnerability was added to the EHRI DW Plan of Action and Milestones (POA&M) as Item M17. To address this vulnerability, the Risk Assessment recommendation states that EHRI should make use of an automated process to review EHRI DW user accounts and fully document how it reviews EHRI DW accounts every six months. This documentation should include details on how access authorization forms are kept up-to-date and how authorization forms are kept in sync with actual system rights and privileges. In response to the OIG's recommendation, the Program Office will ensure that it conducts reviews of active user accounts every six months as suggested in the Risk Assessment and documented in the POA&M so that the risk of unauthorized access to sensitive system data is reduced. The Program Office expects to have this in place by August 1, 2009.

LEWIS F. PARKER

cc: Janet L. Barnes
    Deputy Associate Director
    Center for Information Services and Chief Information Officer

    [redacted]
    Information Technology Specialist
    Center for Information Services

    David M. Cushing
    Deputy Chief Financial Officer

    [redacted]
    Human Resources Line of Business
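The six-month review of active user accounts that the Program Office commits to above, as an added example that is not part of the OIG report or of HRLOB's own tooling: it flags every active account whose last review is older than 180 days and compares the rights actually granted on the system with the rights on the account's access authorization form, so the two kinds of AC-2 gap the report describes (stale review, forms out of sync with real privileges) surface in one pass. The user IDs, privilege names, dates and record layout are constructed for illustration and are assumptions, not data from the report.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional

# Six-month review cadence stated in the Program Office response.
REVIEW_INTERVAL = timedelta(days=180)


@dataclass(frozen=True)
class Account:
    """An account as it exists on the system (rights actually granted)."""
    user_id: str
    active: bool
    privileges: FrozenSet[str]
    last_reviewed: Optional[date]  # None: no review on record


@dataclass(frozen=True)
class Authorization:
    """The access authorization form on file for a user (rights approved)."""
    user_id: str
    approved_privileges: FrozenSet[str]
    approved_on: date


@dataclass(frozen=True)
class Finding:
    user_id: str
    issue: str   # stale_review | no_authorization | excess_privilege | missing_privilege
    detail: str


def review_accounts(accounts: Iterable[Account],
                    authorizations: Iterable[Authorization],
                    as_of: date) -> List[Finding]:
    """Flag active accounts whose review is overdue or whose granted rights
    do not match the authorization form. Inactive accounts are skipped."""
    auth_by_user: Dict[str, Authorization] = {a.user_id: a for a in authorizations}
    findings: List[Finding] = []
    for acct in sorted(accounts, key=lambda a: a.user_id):
        if not acct.active:
            continue
        # (a) review cadence: no review at all, or last review older than the interval
        if acct.last_reviewed is None:
            findings.append(Finding(acct.user_id, "stale_review", "no review on record"))
        elif as_of - acct.last_reviewed > REVIEW_INTERVAL:
            age = (as_of - acct.last_reviewed).days
            findings.append(Finding(acct.user_id, "stale_review", f"last reviewed {age} days ago"))
        # (b) authorization form vs. actual rights
        auth = auth_by_user.get(acct.user_id)
        if auth is None:
            findings.append(Finding(acct.user_id, "no_authorization",
                                    "active account with no access authorization form on file"))
            continue
        extra = acct.privileges - auth.approved_privileges
        missing = auth.approved_privileges - acct.privileges
        if extra:
            findings.append(Finding(acct.user_id, "excess_privilege",
                                    "granted but not approved: " + ", ".join(sorted(extra))))
        if missing:
            findings.append(Finding(acct.user_id, "missing_privilege",
                                    "approved but not granted: " + ", ".join(sorted(missing))))
    return findings


def issues_for(findings: Iterable[Finding], user_id: str) -> List[str]:
    """Sorted issue codes raised for one user (an empty list means the account passed)."""
    return sorted(f.issue for f in findings if f.user_id == user_id)


# Constructed sample data (assumptions, not from the report). The review date
# matches the audit's "controls in place as of February 2009".
AS_OF = date(2009, 2, 1)
SAMPLE_ACCOUNTS = [
    Account("u001", True, frozenset({"read", "report"}), date(2008, 11, 15)),          # clean
    Account("u002", True, frozenset({"read", "report", "admin"}), date(2007, 12, 1)),  # stale + extra right
    Account("u003", True, frozenset({"read"}), None),                                  # never reviewed, no form
    Account("u004", False, frozenset({"admin"}), None),                                # inactive: skipped
    Account("u005", True, frozenset({"read"}), date(2008, 10, 1)),                     # form grants more than system
]
SAMPLE_AUTHORIZATIONS = [
    Authorization("u001", frozenset({"read", "report"}), date(2008, 6, 2)),
    Authorization("u002", frozenset({"read", "report"}), date(2007, 9, 10)),
    Authorization("u005", frozenset({"read", "report"}), date(2008, 9, 29)),
]


def run_sample() -> List[Finding]:
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_AUTHORIZATIONS, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id}: {f.issue} ({f.detail})")
```

The output is the evidence the review produces: a dated list of accounts with their reason codes, which is the kind of record the response says should document each six-month review.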